npm - eslint-plugin-secure-coding - Versions diffs - 2.2.6 → 2.3.0 - Mend

eslint-plugin-secure-coding 2.2.6 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/AGENTS.md CHANGED Viewed

@@ -1,170 +1,103 @@
-# eslint-plugin-secure-coding - AI Agent Guide
-## Package Overview
-| Field           | Value                                                                                    |
-| --------------- | ---------------------------------------------------------------------------------------- |
-| **Name**        | eslint-plugin-secure-coding                                                              |
-| **Version**     | 3.0.0                                                                                    |
-| **Description** | Security-focused ESLint plugin with 89 LLM-optimized rules for detecting vulnerabilities |
-| **Type**        | ESLint Plugin                                                                            |
-| **Language**    | TypeScript                                                                               |
-| **Node.js**     | >=18.0.0                                                                                 |
-| **ESLint**      | ^8.0.0 \|\| ^9.0.0                                                                       |
-| **License**     | MIT                                                                                      |
-| **Homepage**    | https://github.com/ofri-peretz/eslint#readme                                             |
-| **Repository**  | https://github.com/ofri-peretz/eslint.git                                                |
-| **Directory**   | packages/eslint-plugin-secure-coding                                                     |
-## Installation
+# AGENTS.md
-```bash
-npm install --save-dev eslint-plugin-secure-coding
-# or
-pnpm add -D eslint-plugin-secure-coding
-# or
-yarn add -D eslint-plugin-secure-coding
-```
-## Quick Start
-```javascript
-// eslint.config.js
-import secureCoding from 'eslint-plugin-secure-coding';
-export default [secureCoding.configs.recommended];
-```
-## Available Presets
-| Preset           | Rules                 | Description                         |
-| ---------------- | --------------------- | ----------------------------------- |
-| **recommended**  | 89 rules (mixed)      | Balanced security (Web + Mobile)    |
-| **strict**       | 89 rules (all errors) | Maximum security enforcement        |
-| **owasp-top-10** | 32 rules              | OWASP Top 10 2021 compliance        |
-| **owasp-mobile** | 40 rules              | OWASP Mobile Top 10 2024 compliance |
+> Context for AI coding agents working on eslint-plugin-secure-coding
-## Rule Categories
-### Injection Prevention (11 rules)
+## Setup Commands
-- `no-sql-injection` - CWE-89 - SQL injection via string concatenation
-- `database-injection` - CWE-89 - Comprehensive SQL/NoSQL/ORM injection
-- `detect-eval-with-expression` - CWE-95 - eval() with dynamic expressions
-- `detect-child-process` - CWE-78 - Command injection in child_process
-- `no-unsafe-dynamic-require` - CWE-95 - Dynamic require() calls
-- `no-graphql-injection` - CWE-943 - GraphQL injection attacks
-- `no-xxe-injection` - CWE-611 - XML External Entity injection
-- `no-xpath-injection` - CWE-643 - XPath injection attacks
-- `no-ldap-injection` - CWE-90 - LDAP injection attacks
-- `no-directive-injection` - CWE-94 - Template directive injection
-- `no-format-string-injection` - CWE-134 - Format string vulnerabilities
-### Path & File Security (3 rules)
+```bash
+# Install dependencies (from monorepo root)
+pnpm install
-- `detect-non-literal-fs-filename` - CWE-22 - Path traversal in fs operations
-- `no-zip-slip` - CWE-22 - Zip slip vulnerabilities
-- `no-toctou-vulnerability` - CWE-367 - TOCTOU race conditions
+# Build this package
+nx build eslint-plugin-secure-coding
-### Regex Security (3 rules)
+# Run tests
+nx test eslint-plugin-secure-coding
-- `detect-non-literal-regexp` - CWE-400 - ReDoS in RegExp construction
-- `no-redos-vulnerable-regex` - CWE-1333 - ReDoS-vulnerable patterns
-- `no-unsafe-regex-construction` - CWE-400 - Unsafe regex from user input
+# Run tests with coverage
+nx test eslint-plugin-secure-coding --coverage
-### Object & Prototype (2 rules)
+# Lint this package
+nx lint eslint-plugin-secure-coding
+```
-- `detect-object-injection` - CWE-915 - Prototype pollution
-- `no-unsafe-deserialization` - CWE-502 - Unsafe deserialization
+## Code Style
-### Cryptography (6 rules)
+- TypeScript strict mode with `@interlace/eslint-devkit` types
+- Use `AST_NODE_TYPES` constants, never string literals for node types
+- Use `formatLLMMessage()` for all rule error messages
+- Include CWE, CVSS, OWASP in every security message
+- Use `c8 ignore` comments with documented reasons for untestable code
+- Single-pass AST traversal patterns (O(n) complexity)
-- `no-hardcoded-credentials` - CWE-798 - Hardcoded passwords/keys
-- `no-weak-crypto` - CWE-327 - Weak algorithms (MD5, SHA1)
-- `no-insufficient-random` - CWE-330 - Math.random() for security
-- `no-timing-attack` - CWE-208 - Timing attack vulnerabilities
-- `no-insecure-comparison` - CWE-697 - Insecure string comparison
-- `no-insecure-jwt` - CWE-347 - JWT security issues
+## Testing Instructions
-### Input Validation & XSS (5 rules)
+- Tests use `@typescript-eslint/rule-tester` with Vitest
+- Each rule has `index.ts` (implementation) and `*.test.ts` (tests) in same directory
+- Run specific rule test: `nx test eslint-plugin-secure-coding --testPathPattern="no-sql-injection"`
+- Coverage target: ≥90% lines, ≥95% functions
+- All tests must pass before committing
-- `no-unvalidated-user-input` - CWE-20 - Unvalidated user input
-- `no-unsanitized-html` - CWE-79 - XSS via innerHTML
-- `no-unescaped-url-parameter` - CWE-79 - XSS via URL parameters
-- `no-improper-sanitization` - CWE-116 - Improper output encoding
-- `no-improper-type-validation` - CWE-20 - Type confusion vulnerabilities
+## Project Structure
-### Authentication & Authorization (3 rules)
+```
+src/
+├── index.ts          # Plugin entry, 4 configs
+└── rules/            # 89 rule directories organized by category
+    └── [category]/
+        └── [rule-name]/
+            ├── index.ts       # Rule implementation
+            └── *.test.ts      # Rule tests
+```
-- `no-missing-authentication` - CWE-306 - Missing auth checks
-- `no-privilege-escalation` - CWE-269 - Privilege escalation
-- `no-weak-password-recovery` - CWE-640 - Insecure password reset
+## Plugin Purpose
-### Session & Cookies (3 rules)
+Security-focused ESLint plugin with **89 LLM-optimized rules** for detecting vulnerabilities. Framework-agnostic security covering OWASP Web Top 10 2021 and Mobile Top 10 2024.
-- `no-insecure-cookie-settings` - CWE-614 - Missing Secure/HttpOnly
-- `no-missing-csrf-protection` - CWE-352 - Missing CSRF tokens
-- `no-document-cookie` - CWE-565 - Direct cookie manipulation
+## Available Presets
-### Network & Headers (5 rules)
+| Preset         | Rules           | Description                         |
+| -------------- | --------------- | ----------------------------------- |
+| `recommended`  | 89 (mixed)      | Balanced security (Web + Mobile)    |
+| `strict`       | 89 (all errors) | Maximum security enforcement        |
+| `owasp-top-10` | 32 rules        | OWASP Top 10 2021 compliance        |
+| `owasp-mobile` | 40 rules        | OWASP Mobile Top 10 2024 compliance |
-- `no-missing-cors-check` - CWE-942 - Missing CORS validation
-- `no-missing-security-headers` - CWE-693 - Missing security headers
-- `no-insecure-redirects` - CWE-601 - Open redirect vulnerabilities
-- `no-unencrypted-transmission` - CWE-319 - HTTP instead of HTTPS
-- `no-clickjacking` - CWE-1021 - Clickjacking vulnerabilities
+## Rule Categories
-### Data Exposure (2 rules)
+### Injection Prevention (11 rules)
-- `no-exposed-sensitive-data` - CWE-200 - Sensitive data in responses
-- `no-sensitive-data-exposure` - CWE-532 - Sensitive data in logs
+- `no-sql-injection` - CWE-89
+- `database-injection` - CWE-89
+- `detect-eval-with-expression` - CWE-95
+- `detect-child-process` - CWE-78
+- `no-graphql-injection` - CWE-943
+- `no-xxe-injection` - CWE-611
+- `no-xpath-injection` - CWE-643
+- `no-ldap-injection` - CWE-90
-### Buffer & Memory (1 rule)
+### Path & File Security (3 rules)
-- `no-buffer-overread` - CWE-126 - Buffer over-read
+- `detect-non-literal-fs-filename` - CWE-22
+- `no-zip-slip` - CWE-22
+- `no-toctou-vulnerability` - CWE-367
-### DoS & Resource (2 rules)
+### Cryptography (6 rules)
-- `no-unlimited-resource-allocation` - CWE-770 - Unbounded allocations
-- `no-unchecked-loop-condition` - CWE-835 - Infinite loop conditions
+- `no-hardcoded-credentials` - CWE-798
+- `no-weak-crypto` - CWE-327
+- `no-insufficient-random` - CWE-330
+- `no-timing-attack` - CWE-208
+- `no-insecure-comparison` - CWE-697
+- `no-insecure-jwt` - CWE-347
 ### Mobile Security (30 rules)
-- `no-http-urls` - CWE-319 - Prevent insecure HTTP URLs
-- `no-hardcoded-credentials` - CWE-798 - Detect hardcoded secrets
-- `no-credentials-in-storage-api` - CWE-522 - Prevent credentials in localStorage
-- `no-credentials-in-query-params` - CWE-598 - Detect credentials in URLs
-- `no-allow-arbitrary-loads` - CWE-295 - Prevent insecure ATS configuration
-- `no-disabled-certificate-validation` - CWE-295 - Detect disabled cert validation
-- `require-https-only` - CWE-319 - Enforce HTTPS-only connections
-- `require-network-timeout` - CWE-400 - Require network timeouts
-- `detect-weak-password-validation` - CWE-521 - Detect weak password requirements
-- `no-client-side-auth-logic` - CWE-602 - Prevent client-side auth logic
-- `no-hardcoded-session-tokens` - CWE-798 - Detect hardcoded session tokens
-- `no-unvalidated-deeplinks` - CWE-939 - Unvalidated deep link usage
-- `require-url-validation` - CWE-601 - Require URL validation
-- `require-mime-type-validation` - CWE-434 - Require MIME type validation
-- `no-arbitrary-file-access` - CWE-22 - Prevent path traversal
-- `no-pii-in-logs` - CWE-532 - Prevent PII in logs
-- `no-tracking-without-consent` - CWE-359 - Require tracking consent
-- `no-sensitive-data-in-analytics` - CWE-359 - Prevent PII in analytics
-- `require-data-minimization` - CWE-213 - Enforce data minimization
-- `no-debug-code-in-production` - CWE-489 - Detect debug code
-- `require-code-minification` - CWE-656 - Require code minification
-- `no-verbose-error-messages` - CWE-209 - Prevent verbose error messages
-- `require-secure-defaults` - CWE-276 - Require secure defaults
-- `no-sensitive-data-in-cache` - CWE-524 - Prevent sensitive data in cache
-- `no-data-in-temp-storage` - CWE-312 - Prevent sensitive data in temp storage
-- `require-secure-deletion` - CWE-459 - Require secure deletion
-- `require-storage-encryption` - CWE-311 - Require storage encryption
-- `no-unencrypted-local-storage` - CWE-312 - Prevent unencrypted local storage
-- `require-credential-storage` - CWE-522 - Require secure credential storage
-- `no-exposed-debug-endpoints` - CWE-489 - Prevent exposed debug endpoints
-### Platform-Specific (2 rules)
-- `no-electron-security-issues` - CWE-693 - Electron security misconfig
-- `no-insufficient-postmessage-validation` - CWE-346 - postMessage origin issues
+- `no-http-urls` - CWE-319
+- `no-credentials-in-storage-api` - CWE-522
+- `no-pii-in-logs` - CWE-532
+- `require-https-only` - CWE-319
+- And 26 more...
 ## Error Message Format
@@ -175,28 +108,6 @@ Line 1: [Icon] [CWE] [OWASP] [CVSS] | [Description] | [SEVERITY] [Compliance]
 Line 2:    Fix: [instruction] | [doc-link]
 ```
-**Example:**
-```
-🔒 CWE-89 OWASP:A03-Injection CVSS:9.8 | SQL Injection detected | CRITICAL [SOC2,PCI-DSS,HIPAA]
-   Fix: Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId]) | https://owasp.org/...
-```
-## ESLint MCP Integration
-Configure in `.cursor/mcp.json`:
-```json
-{
-  "mcpServers": {
-    "eslint": {
-      "command": "npx",
-      "args": ["@eslint/mcp@latest"]
-    }
-  }
-}
-```
 ## Key Features
 | Feature              | Value                            |
@@ -218,13 +129,3 @@ A: `'secure-coding/no-sql-injection': ['error', { strategy: 'parameterize' }]`
 **Q: How do I disable a rule inline?**
 A: `// eslint-disable-next-line secure-coding/no-sql-injection`
-**Q: Is it compatible with TypeScript?**
-A: Yes, native TypeScript support.
-**Q: Does it work with ESLint 9 flat config?**
-A: Yes, fully compatible.
-## License
-MIT © Ofri Peretz

package/README.md CHANGED Viewed

@@ -5,9 +5,13 @@
 [![npm version](https://img.shields.io/npm/v/eslint-plugin-secure-coding.svg)](https://www.npmjs.com/package/eslint-plugin-secure-coding)
 [![npm downloads](https://img.shields.io/npm/dm/eslint-plugin-secure-coding.svg)](https://www.npmjs.com/package/eslint-plugin-secure-coding)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![codecov](https://codecov.io/gh/ofri-peretz/eslint/graph/badge.svg?component=secure_coding)](https://app.codecov.io/gh/ofri-peretz/eslint/components?components%5B0%5D=secure_coding)
 > **A complete security standard:** This plugin provides **full mitigation** for both **OWASP Top 10 Web (2021)** AND **OWASP Mobile Top 10 (2024)**.
-> With **89 rules** mapped to CWE and CVSS, it transforms your linter into an enterprise-grade security auditor that AI assistants can understand and fix.
+> With **78 active rules** (+ 11 deprecated) mapped to CWE and CVSS, it transforms your linter into an enterprise-grade security auditor that AI assistants can understand and fix.
+> [!NOTE]
+> **v3.0.0**: 11 rules have been deprecated in favor of dedicated plugins with better coverage. See [Related ESLint Plugins](#-related-eslint-plugins) for migration guidance.
 ---
@@ -22,9 +26,9 @@
 Every security rule produces a **structured 2-line error message**:
 ```bash
-src/api.ts
-  42:15  error  🔒 CWE-89 OWASP:A03-Injection CVSS:9.8 | SQL Injection detected | CRITICAL [SOC2,PCI-DSS,HIPAA]
-                    Fix: Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [userId]) | https://owasp.org/...
+src/components/Display.tsx
+  18:5   error  🔒 CWE-79 OWASP:A03-Injection CVSS:6.1 | XSS via innerHTML | HIGH [SOC2,PCI-DSS]
+                    Fix: Use textContent or sanitize with DOMPurify: element.textContent = userInput | https://owasp.org/...
 ```
 **Each message includes:**
@@ -40,17 +44,29 @@ src/api.ts
 ## 📊 OWASP Coverage Matrix
+> [!IMPORTANT]
+> Rules marked with ~~strikethrough~~ are deprecated. For **complete OWASP coverage**, combine this plugin with dedicated plugins:
+> | Plugin | Coverage |
+> |--------|----------|
+> | [`eslint-plugin-jwt`](https://www.npmjs.com/package/eslint-plugin-jwt) | A02 — JWT security (13 rules) |
+> | [`eslint-plugin-crypto`](https://www.npmjs.com/package/eslint-plugin-crypto) | A02 — Cryptographic failures (24 rules) |
+> | [`eslint-plugin-pg`](https://www.npmjs.com/package/eslint-plugin-pg) | A03 — SQL injection for PostgreSQL (13 rules) |
+> | [`eslint-plugin-express-security`](https://www.npmjs.com/package/eslint-plugin-express-security) | A05/A07 — CORS, headers, cookies, CSRF for Express |
+> | [`eslint-plugin-nestjs-security`](https://www.npmjs.com/package/eslint-plugin-nestjs-security) | A05/A07 — Guards, validation, throttler for NestJS |
+> | [`eslint-plugin-lambda-security`](https://www.npmjs.com/package/eslint-plugin-lambda-security) | A05/A07 — API Gateway, Middy middleware for AWS Lambda |
+> | [`eslint-plugin-vercel-ai-security`](https://www.npmjs.com/package/eslint-plugin-vercel-ai-security) | OWASP LLM + Agentic Top 10 for AI apps (19 rules) |
 ### OWASP Top 10 Web 2021
 | Category     | Description               | Rules                                                                                                                                                                                 |
 | ------------ | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | **A01:2021** | Broken Access Control     | `no-privilege-escalation`, `no-missing-authorization`, `no-zip-slip`, `detect-non-literal-fs-filename`                                                                                |
-| **A02:2021** | Cryptographic Failures    | `no-weak-crypto`, `no-http-urls`, `require-https-only`, `no-timing-attack`, `no-insufficient-random`, `no-hardcoded-credentials`                                                      |
+| **A02:2021** | Cryptographic Failures    | ~~`no-weak-crypto`~~, `no-http-urls`, `require-https-only`, ~~`no-timing-attack`~~, ~~`no-insufficient-random`~~, `no-hardcoded-credentials` + **eslint-plugin-jwt/crypto**           |
 | **A03:2021** | Injection                 | `no-sql-injection`, `database-injection`, `detect-eval-with-expression`, `detect-child-process`, `no-xxe-injection`, `no-xpath-injection`, `no-ldap-injection`, `no-unsanitized-html` |
 | **A04:2021** | Insecure Design           | `no-improper-type-validation`, `detect-weak-password-validation`                                                                                                                      |
-| **A05:2021** | Security Misconfiguration | `no-missing-cors-check`, `no-missing-security-headers`, `no-permissive-cors`, `require-csp-headers`                                                                                   |
+| **A05:2021** | Security Misconfiguration | ~~`no-missing-cors-check`~~, ~~`no-missing-security-headers`~~, ~~`no-permissive-cors`~~, `require-csp-headers` + **eslint-plugin-express-security**                                  |
 | **A06:2021** | Vulnerable Components     | `detect-suspicious-dependencies`, `require-package-lock`, `require-dependency-integrity`                                                                                              |
-| **A07:2021** | Auth/Session Failures     | `no-missing-authentication`, `no-insecure-cookie-settings`, `no-missing-csrf-protection`, `no-weak-password-recovery`                                                                 |
+| **A07:2021** | Auth/Session Failures     | `no-missing-authentication`, ~~`no-insecure-cookie-settings`~~, ~~`no-missing-csrf-protection`~~, `no-weak-password-recovery` + **eslint-plugin-express-security**                    |
 | **A08:2021** | Software/Data Integrity   | `no-unsafe-deserialization`, `no-unsafe-dynamic-require`                                                                                                                              |
 | **A09:2021** | Security Logging          | `no-sensitive-data-exposure`, `no-pii-in-logs`                                                                                                                                        |
 | **A10:2021** | SSRF                      | `no-unvalidated-url-input`, `require-url-validation`                                                                                                                                  |
@@ -72,9 +88,9 @@ src/api.ts
 ---
-## 🔐 89 Security Rules
+## 🔐 78 Active Security Rules
-💼 = Set in `recommended` | ⚠️ = Warns in `recommended` | 🔧 = Auto-fixable | 💡 = Suggestions
+💼 = Set in `recommended` | ⚠️ = Warns in `recommended` | 🔧 = Auto-fixable | 💡 = Suggestions | 🚫 = Deprecated (use dedicated plugin)
 ### Injection Prevention (11 rules)
@@ -154,14 +170,17 @@ src/api.ts
 ### Cryptography (6 rules)
-| Rule                                                                 | CWE     | OWASP | CVSS | Description                          | 💼  | ⚠️  | 🔧  | 💡  |
-| -------------------------------------------------------------------- | ------- | ----- | ---- | ------------------------------------ | --- | --- | --- | --- |
-| [no-hardcoded-credentials](./docs/rules/no-hardcoded-credentials.md) | CWE-798 | A07   | 7.5  | Detect hardcoded passwords/keys      | 💼  |     |     |     |
-| [no-weak-crypto](./docs/rules/no-weak-crypto.md)                     | CWE-327 | A02   | 7.5  | Detect weak algorithms (MD5, SHA1)   | 💼  |     |     |     |
-| [no-insufficient-random](./docs/rules/no-insufficient-random.md)     | CWE-330 | A02   | 5.3  | Detect Math.random() for security    |     | ⚠️  |     |     |
-| [no-timing-attack](./docs/rules/no-timing-attack.md)                 | CWE-208 | A02   | 5.9  | Detect timing attack vulnerabilities | 💼  |     |     |     |
-| [no-insecure-comparison](./docs/rules/no-insecure-comparison.md)     | CWE-697 | A02   | 5.3  | Detect insecure string comparison    |     | ⚠️  | 🔧  |     |
-| [no-insecure-jwt](./docs/rules/no-insecure-jwt.md)                   | CWE-347 | A02   | 7.5  | Detect JWT security issues           | 💼  |     |     |     |
+> [!WARNING]
+> **5 rules deprecated** — Use [`eslint-plugin-jwt`](https://www.npmjs.com/package/eslint-plugin-jwt) (13 rules) and [`eslint-plugin-crypto`](https://www.npmjs.com/package/eslint-plugin-crypto) (24 rules) for comprehensive coverage.
+| Rule                                                                 | CWE     | OWASP | CVSS | Description                          | 💼  | ⚠️  | 🔧  | 💡  | 🚫  |
+| -------------------------------------------------------------------- | ------- | ----- | ---- | ------------------------------------ | --- | --- | --- | --- | --- |
+| [no-hardcoded-credentials](./docs/rules/no-hardcoded-credentials.md) | CWE-798 | A07   | 7.5  | Detect hardcoded passwords/keys      | 💼  |     |     |     |     |
+| [no-weak-crypto](./docs/rules/no-weak-crypto.md)                     | CWE-327 | A02   | 7.5  | Detect weak algorithms (MD5, SHA1)   | 💼  |     |     |     | 🚫  |
+| [no-insufficient-random](./docs/rules/no-insufficient-random.md)     | CWE-330 | A02   | 5.3  | Detect Math.random() for security    |     | ⚠️  |     |     | 🚫  |
+| [no-timing-attack](./docs/rules/no-timing-attack.md)                 | CWE-208 | A02   | 5.9  | Detect timing attack vulnerabilities | 💼  |     |     |     | 🚫  |
+| [no-insecure-comparison](./docs/rules/no-insecure-comparison.md)     | CWE-697 | A02   | 5.3  | Detect insecure string comparison    |     | ⚠️  | 🔧  |     | 🚫  |
+| [no-insecure-jwt](./docs/rules/no-insecure-jwt.md)                   | CWE-347 | A02   | 7.5  | Detect JWT security issues           | 💼  |     |     |     | 🚫  |
 ### Input Validation & XSS (5 rules)
@@ -183,21 +202,27 @@ src/api.ts
 ### Session & Cookies (3 rules)
-| Rule                                                                       | CWE     | OWASP | CVSS | Description                       | 💼  | ⚠️  | 🔧  | 💡  |
-| -------------------------------------------------------------------------- | ------- | ----- | ---- | --------------------------------- | --- | --- | --- | --- |
-| [no-insecure-cookie-settings](./docs/rules/no-insecure-cookie-settings.md) | CWE-614 | A07   | 5.3  | Detect missing Secure/HttpOnly    |     | ⚠️  |     |     |
-| [no-missing-csrf-protection](./docs/rules/no-missing-csrf-protection.md)   | CWE-352 | A07   | 8.8  | Detect missing CSRF tokens        |     | ⚠️  |     |     |
-| [no-document-cookie](./docs/rules/no-document-cookie.md)                   | CWE-565 | A07   | 4.3  | Detect direct cookie manipulation |     | ⚠️  |     | 💡  |
+> [!WARNING]
+> **2 rules deprecated** — Use [`eslint-plugin-express-security`](https://www.npmjs.com/package/eslint-plugin-express-security) or [`eslint-plugin-nestjs-security`](https://www.npmjs.com/package/eslint-plugin-nestjs-security) for framework-specific cookie/CSRF detection.
+| Rule                                                                       | CWE     | OWASP | CVSS | Description                       | 💼  | ⚠️  | 🔧  | 💡  | 🚫  |
+| -------------------------------------------------------------------------- | ------- | ----- | ---- | --------------------------------- | --- | --- | --- | --- | --- |
+| [no-insecure-cookie-settings](./docs/rules/no-insecure-cookie-settings.md) | CWE-614 | A07   | 5.3  | Detect missing Secure/HttpOnly    |     | ⚠️  |     |     | 🚫  |
+| [no-missing-csrf-protection](./docs/rules/no-missing-csrf-protection.md)   | CWE-352 | A07   | 8.8  | Detect missing CSRF tokens        |     | ⚠️  |     |     | 🚫  |
+| [no-document-cookie](./docs/rules/no-document-cookie.md)                   | CWE-565 | A07   | 4.3  | Detect direct cookie manipulation |     | ⚠️  |     | 💡  |     |
 ### Network & Headers (5 rules)
-| Rule                                                                       | CWE      | OWASP | CVSS | Description                          | 💼  | ⚠️  | 🔧  | 💡  |
-| -------------------------------------------------------------------------- | -------- | ----- | ---- | ------------------------------------ | --- | --- | --- | --- |
-| [no-missing-cors-check](./docs/rules/no-missing-cors-check.md)             | CWE-942  | A05   | 7.5  | Detect missing CORS validation       |     | ⚠️  |     |     |
-| [no-missing-security-headers](./docs/rules/no-missing-security-headers.md) | CWE-693  | A05   | 5.3  | Detect missing security headers      |     | ⚠️  |     | 💡  |
-| [no-insecure-redirects](./docs/rules/no-insecure-redirects.md)             | CWE-601  | A01   | 6.1  | Detect open redirect vulnerabilities |     | ⚠️  |     | 💡  |
-| [no-unencrypted-transmission](./docs/rules/no-unencrypted-transmission.md) | CWE-319  | A02   | 7.5  | Detect HTTP instead of HTTPS         |     | ⚠️  |     |     |
-| [no-clickjacking](./docs/rules/no-clickjacking.md)                         | CWE-1021 | A05   | 6.1  | Detect clickjacking vulnerabilities  | 💼  |     |     |     |
+> [!WARNING]
+> **4 rules deprecated** — Use [`eslint-plugin-express-security`](https://www.npmjs.com/package/eslint-plugin-express-security) or [`eslint-plugin-nestjs-security`](https://www.npmjs.com/package/eslint-plugin-nestjs-security) for framework-specific CORS/header detection (helmet integration).
+| Rule                                                                       | CWE      | OWASP | CVSS | Description                          | 💼  | ⚠️  | 🔧  | 💡  | 🚫  |
+| -------------------------------------------------------------------------- | -------- | ----- | ---- | ------------------------------------ | --- | --- | --- | --- | --- |
+| [no-missing-cors-check](./docs/rules/no-missing-cors-check.md)             | CWE-942  | A05   | 7.5  | Detect missing CORS validation       |     | ⚠️  |     |     | 🚫  |
+| [no-missing-security-headers](./docs/rules/no-missing-security-headers.md) | CWE-693  | A05   | 5.3  | Detect missing security headers      |     | ⚠️  |     | 💡  | 🚫  |
+| [no-insecure-redirects](./docs/rules/no-insecure-redirects.md)             | CWE-601  | A01   | 6.1  | Detect open redirect vulnerabilities |     | ⚠️  |     | 💡  |     |
+| [no-unencrypted-transmission](./docs/rules/no-unencrypted-transmission.md) | CWE-319  | A02   | 7.5  | Detect HTTP instead of HTTPS         |     | ⚠️  |     |     |     |
+| [no-clickjacking](./docs/rules/no-clickjacking.md)                         | CWE-1021 | A05   | 6.1  | Detect clickjacking vulnerabilities  | 💼  |     |     |     | 🚫  |
 ### Data Exposure (2 rules)
@@ -387,7 +412,30 @@ A: Yes, fully compatible.
 ## 🔗 Related ESLint Plugins
-- [`eslint-plugin-vercel-ai-security`](https://www.npmjs.com/package/eslint-plugin-vercel-ai-security) - specialized security rules for Vercel AI SDK applications.
+Part of the **Forge-JS ESLint Ecosystem** — AI-native security plugins with LLM-optimized error messages:
+### Migration Guide (v3.0.0)
+For **better coverage**, use these dedicated plugins instead of deprecated rules:
+| Deprecated Rules                                                                                                                                             | Migrate To                                                                                       | Why                                                             |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- |
+| `no-insecure-jwt`                                                                                                                                            | [`eslint-plugin-jwt`](https://www.npmjs.com/package/eslint-plugin-jwt)                           | 13 specialized rules vs 1 generic rule, CVE-2022-23540 coverage |
+| `no-weak-crypto`, `no-insufficient-random`, `no-timing-attack`, `no-insecure-comparison`                                                                     | [`eslint-plugin-crypto`](https://www.npmjs.com/package/eslint-plugin-crypto)                     | 24 rules, CVE-specific detection, library-aware                 |
+| `no-permissive-cors`, `no-missing-cors-check`, `no-missing-csrf-protection`, `no-insecure-cookie-settings`, `no-missing-security-headers`, `no-clickjacking` | [`eslint-plugin-express-security`](https://www.npmjs.com/package/eslint-plugin-express-security) | Framework-aware, helmet integration                             |
+### All Ecosystem Plugins
+| Plugin                                                                                               | Description                                                                | Rules |
+| ---------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | :---: |
+| [`eslint-plugin-jwt`](https://www.npmjs.com/package/eslint-plugin-jwt)                               | JWT security (algorithm confusion, weak secrets, claims validation)        |  13   |
+| [`eslint-plugin-crypto`](https://www.npmjs.com/package/eslint-plugin-crypto)                         | Cryptographic best practices (weak algorithms, key handling, CVE-specific) |  24   |
+| [`eslint-plugin-pg`](https://www.npmjs.com/package/eslint-plugin-pg)                                 | PostgreSQL/node-postgres security and best practices                       |  13   |
+| [`eslint-plugin-express-security`](https://www.npmjs.com/package/eslint-plugin-express-security)     | Express.js security (CORS, cookies, CSRF, helmet)                          |  15   |
+| [`eslint-plugin-nestjs-security`](https://www.npmjs.com/package/eslint-plugin-nestjs-security)       | NestJS security (guards, validation pipes, throttler)                      |  15   |
+| [`eslint-plugin-lambda-security`](https://www.npmjs.com/package/eslint-plugin-lambda-security)       | AWS Lambda/Middy security (API Gateway, headers, validation)               |   9   |
+| [`eslint-plugin-vercel-ai-security`](https://www.npmjs.com/package/eslint-plugin-vercel-ai-security) | Vercel AI SDK security (OWASP LLM + Agentic Top 10)                        |  19   |
+| [`eslint-plugin-import-next`](https://www.npmjs.com/package/eslint-plugin-import-next)               | High-performance import linting with AI-guided cycle fixes                 |  12   |
 ## 📄 License

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "eslint-plugin-secure-coding",
-  "version": "2.2.6",
+  "version": "2.3.0",
   "description": "Security-focused ESLint plugin with 89 AI-parseable rules for detecting and preventing vulnerabilities. OWASP Top 10 2021 + Mobile Top 10 2024 coverage, CWE references, and AI-assisted fix guidance.",
   "type": "commonjs",
   "main": "./src/index.js",
@@ -72,15 +72,15 @@
     "@interlace/eslint-devkit": "^1.2.1",
     "tslib": "^2.3.0"
   },
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest watch",
+    "test:coverage": "vitest run --coverage"
+  },
   "devDependencies": {
     "@typescript-eslint/parser": "^8.46.2",
     "@typescript-eslint/rule-tester": "^8.46.2",
     "@vitest/coverage-v8": "^4.0.6",
     "vitest": "^4.0.6"
-  },
-  "scripts": {
-    "test": "vitest run",
-    "test:watch": "vitest watch",
-    "test:coverage": "vitest run --coverage"
   }
 }

package/src/rules/no-arbitrary-file-access/index.d.ts CHANGED Viewed

@@ -1,5 +1,12 @@
 /**
  * @fileoverview Prevent file access from user input
+ *
+ * False Positive Reduction:
+ * This rule detects safe patterns including:
+ * - path.basename() sanitization
+ * - path.join() with validated base directories
+ * - startsWith() validation guards
+ * - Early-return throw patterns
  */
 export interface Options {
 }